<p>When implementing the HTTPS protocol, the website mostly continue to support the HTTP protocol to redirect users to HTTPS when they request a HTTP
version of the website. These redirects are not encrypted and are therefore vulnerable to man in the middle attacks. The <a
href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security">Strict-Transport-Security policy header</a> (HSTS) set by
an application instructs the web browser to convert any HTTP request to HTTPS.</p>
<p>Web browsers that see the Strict-Transport-Security policy header for the first time record information specified in the header:</p>
<ul>
  <li> the <code>max-age</code> directive which specify how long the policy should be kept on the web browser. </li>
  <li> the <code>includeSubDomains</code> optional directive which specify if the policy should apply on all sub-domains or not. </li>
  <li> the <code>preload</code> optional directive which is not part of the HSTS specification but supported on all modern web browsers. </li>
</ul>
<p>With the <code>preload</code> directive the web browser never connects in HTTP to the website and to use this directive, it is required <a
href="https://hstspreload.org/">to submit</a> the concerned application to a preload service maintained by Google.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The website is accessible with the unencrypted HTTP protocol. </li>
</ul>
<p>There is a risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Implement Strict-Transport-Security policy header, it is recommended to apply this policy to all subdomains (<code>includeSubDomains</code>) and
for at least 6 months (<code>max-age=15552000</code>) or even better for 1 year (<code>max-age=31536000</code>).</p>
<h2>Sensitive Code Example</h2>
<p>In Express.js application the code is sensitive if the <a href="https://www.npmjs.com/package/helmet">helmet</a> or <a
href="https://www.npmjs.com/package/hsts">hsts</a> middleware are disabled or used without recommended values:</p>
<pre>
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(helmet.hsts({
  maxAge: 3153600, // Sensitive, recommended &gt;= 15552000
  includeSubDomains: false // Sensitive, recommended 'true'
}));
</pre>
<h2>Compliant Solution</h2>
<p>In Express.js application a standard way to implement HSTS is with the <a href="https://www.npmjs.com/package/helmet">helmet</a> or <a
href="https://www.npmjs.com/package/hsts">hsts</a> middleware:</p>
<pre>
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(helmet.hsts({
  maxAge: 31536000,
  includeSubDomains: true
})); // Compliant
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
  Exposure</a> </li>
  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security">developer.mozilla.org</a> - Strict Transport
  Security </li>
</ul>
